New York Department of Financial Services Implements New “First-in-the-Nation” Cybersecurity Regulations

White Collar Watch, March 2017

As of March 1, 2017, New York financial institutions subject to the oversight of the New York Department of Financial Services (“DFS”) are required to comply with a new cybersecurity regulatory scheme. Compliance deadlines for certain measures are coming as early as August 28, 2017. Affected financial institutions should take action now to ensure timely compliance.

Following months of public comments and revisions, DFS’ new cybersecurity regulations, 23 NYCRR §§ 500.00-500.23, went into effect on March 1, 2017.[1] Entitled “Cybersecurity Requirements For Financial Services Companies,” these “first-in-the-nation”[2] cybersecurity rules are “designed to promote the protection of customer information as well as the information technology systems of regulated entities.” In short, the regulations require New York financial institutions subject to the oversight of DFS (“Covered Entities”) to adopt a robust cybersecurity program and policy, and the first compliance deadline is coming this summer.

Failure to comply with the new regulations may result in fines or other civil penalties. Here are the specific deadlines for the new measures that you need to be aware of:

August 28, 2017: 180-Day Transition Period Ends

Although the new regulations went into effect on March 1, 2017, DFS has provided for a transition period, which ends after 180 days, or August 28, 2017. Covered Entities are required to be in compliance with a number of the new regulations by that date. Covered Entities will then have additional time to comply with certain enumerated regulations, which are described below.

February 15, 2018: First Certification of Compliance Due to DFS

Beginning on February 15, 2018, and continuing on an annual basis thereafter, Covered Entities must submit to the superintendent of DFS a written statement certifying that the Covered Entities are in compliance with the regulations.[3]

March 1, 2018: One-Year Additional Transition Period Ends

By March 1, 2018,[4] a Covered Entity must be in compliance with the following provisions:

Regulations concerning the annual report of the Chief Information Security Officer (“CISO”) to the Covered Entity’s board of directors.[5]

By March 1, 2019,[16] a Covered Entity must be in compliance with regulations concerning third-party service providers.[17] Essentially, this regulation will require a Covered Entity to implement written policies and procedures designed to ensure that a Covered Entity’s vendors and other third parties with access to nonpublic information employ adequate cybersecurity practices.